[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Sat May 9 07:25:52 BST 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
dc840785 by Salvatore Bonaccorso at 2026-05-09T08:24:43+02:00
Process some NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -87,7 +87,7 @@ CVE-2026-41889 (pgx is a PostgreSQL driver and toolkit for Go. Prior to version
CVE-2026-41887 (Flarum is open-source forum software. Prior to versions 1.8.16 and 2.0 ...)
NOT-FOR-US: Flarum
CVE-2026-41886 (locize is a localization platform that connects code and i18n setup. P ...)
- TODO: check
+ NOT-FOR-US: locize
CVE-2026-41885 (i18next-locize-backend is a simple i18next backend for locize.com whic ...)
NOT-FOR-US: i18next-locize-backend
CVE-2026-41883 (OmniFaces is a utility library for Faces. Prior to versions 1.14.2, 2. ...)
@@ -99,53 +99,53 @@ CVE-2026-41690 (18next-http-middleware is a middleware to be used with Node.js w
CVE-2026-41683 (i18next-http-middleware is a middleware to be used with Node.js web fr ...)
NOT-FOR-US: i18next-http-middleware
CVE-2026-41591 (Marko is a declarative, HTML-based language for building web apps. Pri ...)
- TODO: check
+ NOT-FOR-US: Marko
CVE-2026-41588 (RELATE is a web-based courseware package. Prior to commit 2f68e16, the ...)
- TODO: check
+ NOT-FOR-US: RELATE
CVE-2026-41585 (ZEBRA is a Zcash node written entirely in Rust. From zebrad versions 2 ...)
- TODO: check
+ NOT-FOR-US: ZEBRA
CVE-2026-41584 (ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad versio ...)
- TODO: check
+ NOT-FOR-US: ZEBRA
CVE-2026-41583 (ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad versio ...)
- TODO: check
+ NOT-FOR-US: ZEBRA
CVE-2026-41576 (Brave CMS is an open-source CMS. Prior to commit 6c56603, the contact ...)
- TODO: check
+ NOT-FOR-US: Brave CMS
CVE-2026-41575 (In th30d4y/IP from version 1.0.1 to before version 2.0.1, a DOM-Based ...)
- TODO: check
+ NOT-FOR-US: th30d4y/IP
CVE-2026-41574 (Nhost is an open source Firebase alternative with GraphQL. Prior to ve ...)
- TODO: check
+ NOT-FOR-US: Nhost
CVE-2026-41570 (PHPUnit is a testing framework for PHP. In versions 12.5.21 and 13.1.5 ...)
TODO: check
CVE-2026-41524 (Brave CMS is an open-source CMS. Prior to commit 6c56603, page and art ...)
- TODO: check
+ NOT-FOR-US: Brave CMS
CVE-2026-41512 (ai-scanner is an AI model safety scanner built on NVIDIA garak. From v ...)
- TODO: check
+ NOT-FOR-US: ai-scanner
CVE-2026-41511 (OpenMcdf is a fully .NET / C# library to manipulate Compound File Bina ...)
- TODO: check
+ NOT-FOR-US: OpenMcdf
CVE-2026-41509 (CROSS implementation contains reference and optimized implementations ...)
- TODO: check
+ NOT-FOR-US: CROSS
CVE-2026-41507 (math-codegen generates code from mathematical expressions. Prior to ve ...)
- TODO: check
+ NOT-FOR-US: math-codegen
CVE-2026-41506 (go-git is an extensible git implementation library written in pure Go. ...)
- golang-github-go-git-go-git <unfixed>
NOTE: https://github.com/go-git/go-git/security/advisories/GHSA-3xc5-wrhm-f963
NOTE: Fixed by: https://github.com/go-git/go-git/commit/bcd20a9c525826081262a06a9ed9c3167abfcd53 (v5.18.0)
CVE-2026-41497 (PraisonAI is a multi-agent teams system. Prior to version 4.6.9, the f ...)
- TODO: check
+ NOT-FOR-US: PraisonAI
CVE-2026-41496 (PraisonAI is a multi-agent teams system. Prior to praisonai version 4. ...)
- TODO: check
+ NOT-FOR-US: PraisonAI
CVE-2026-41493 (YARD is a Ruby Documentation tool. Prior to version 0.9.42, a path tra ...)
TODO: check
CVE-2026-41491 (Dapr is a portable, event-driven, runtime for building distributed app ...)
- TODO: check
+ NOT-FOR-US: Dapr
CVE-2026-41487 (Langfuse is an open source large language model engineering platform. ...)
- TODO: check
+ NOT-FOR-US: Langfuse
CVE-2026-41423 (Angular is a development platform for building mobile and desktop web ...)
TODO: check
CVE-2026-41308 (Password Pusher is an open source application to communicate sensitive ...)
- TODO: check
+ NOT-FOR-US: Password Pusher
CVE-2026-41161 (Sync-in Server is a secure, open-source platform for file storage, sha ...)
- TODO: check
+ NOT-FOR-US: Sync-in Server
CVE-2026-41070 (openvpn-auth-oauth2 is a plugin/management interface client for OpenVP ...)
TODO: check
CVE-2026-3318 (Open redirection vulnerability in the latest demo version of the Cradl ...)
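Review bot: The tag "NOT-FOR-US: ZEBRA" on CVE-2026-41585, CVE-2026-41584 and CVE-2026-41583 is ambiguous on its own, because zebra is also the name of the routing daemon from GNU Zebra and FRR. The descriptions show this is the Zcash node (zebrad), so a tag such as "NOT-FOR-US: Zebra (Zcash node)" would keep later searches and triage of the list from confusing the two. To a lesser degree the same applies to "NOT-FOR-US: CROSS" on CVE-2026-41509, where the bare name says little about which product is meant. The entries for PHPUnit, YARD, Angular and openvpn-auth-oauth2 stay at "TODO: check", which fits a commit scoped to NFUs.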
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dc8407853b3cfe52bb711e8b6830bcae5839ec28